Role or Entitlement Change Validation Checklist

Before you begin

1. Verify your downstream applications connected to Clarity are configured correctly

   1. Check the Trust Permission setting for each application

   2. Check each application has an appropriate username rule configured for it

2. Complete the Role Configuration Checklist

3. Designate a Role to be used for testing, it's good to have a wide range of applications included in this role for testing purposes.

1. Create custom “Identity Modified” workflow with a “Condition: Identity Attribute” to limit the scope of the workflow

   1. Use a descriptive name (to help indicate this is for testing, desired scope, etc.)

   2. Add Trigger: Identity Modified

   3. Add Action: Find/Create Identity Role

   4. Add a condition to limit the scope of this workflow (Condition: Identity Attributes or Condition: Identity Roles)

   5. Add Action: Re-Provision Identity

      1. Configure the Action: Re-Provision Identity step in your workflow to match your desired outcome (Deprovision Expiration: never, immediate, custom)

   6. Optional: Add the Action: Push Identity Attributes

   7. Click the blue Save button in the upper right

2. Create a custom “Under-Provisioned” workflow with a Condition to limit the scope of the workflow to a particular Department, Department and Job Title, or Role, etc.

   1. You may have completed this step already during the Joiners Checklist

   2. Choose a name to indicate this workflow is for testing

   3. Add Trigger: UnderProvisioned Identity Detected

   4. Use a Condition (Identity Attributes or Identity Roles) to limit the scope of the workflow to a particular Department, or Department and Job Title, or Role

   5. Add Action: Provision Identity

   6. Click the blue Save button in the upper right

3. Modify Existing Identity Modified Workflow (this is to remove provisioning actions for all Identities not included in the scoped workflow above).

   1. Remove Action: Re-Provision Identity

   2. Optional: Remove the Action: Push Identity Attributes

   3. Click the blue Save button in the upper right

4. Enable your custom Identity Modified workflow

5. Enable your custom UnderProvisioned Detector workflow

6. Change the attributes that correspond to your Clarity Organizational Units in your HRIS to trigger someone to change Roles within Clarity

7. Wait or Sync the above application to trigger Clarity to pull in the changes.

   1. After the sync is complete, refresh your webpage, and search for your Test user

8. For each application with an associated Entitlement on the new role, check that the downstream Service User has any new entitlements from the new role

9. For each application with an associated entitlement on the role, check that all of the expected entitlements

10. Check for Entitlements from the previous role have been successfully removed from the Identity (or receive a proper expiration date).

11. Re-Enable or add the Re-Provisioning Step to your Identity Modified workflow

    1. Confirm your non-scoped Workflow with Identity Modified Trigger has the Action: Re-Provision Identity correctly configured (Deprovision Expiration: never, immediate, custom)

12. Re-Enable or remove condition steps from your Under-Provisioned Detector workflow

    ---

    If you have any problems, contact your customer success team. You can also get in touch with our general support via email, open a support ticket. Our general support team is available Monday - Friday from 8:00 AM - 6:30 PM CST.